
Two New Research Reports Address Knowledge Gaps and Best Practices for CRA Readiness and Compliance in Open Source.
SAN FRANCISCO – March 18, 2024 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the publication of two groundbreaking research reports, both in partnership with the Open Source Security Foundation (OpenSSF) and Linux Foundation Europe (LF Europe), that explore community-driven strategies to address open source security and the European Union’s Cyber Resilience Act (CRA). Authored by industry leaders and open source policy experts, these reports highlight knowledge gaps and best practices for CRA compliance, providing an in-depth analysis of how open collaboration can strengthen software security and innovation across global markets.
“As regulatory landscapes evolve, Linux Foundation Research remains committed to supporting security best practices through data-driven, empirical insights,” said Hilary Carter, SVP Research at the Linux Foundation. “These two reports offer actionable conclusions for open source stakeholders to ready themselves for 2027, when the CRA comes into force. We hope that these reports catalyze higher levels of collaboration across the open source community.”
The first report, Pathways to Cybersecurity Best Practices in Open Source: How the Civil Infrastructure Platform, Yocto Project, and Zephyr Project are Closing the Gap to Meeting the Requirements of the Cyber Resilience Act, examines how three Linux Foundation projects are meeting the CRA’s minimum compliance requirements. The report provides a textual analysis of the CRA, a brief overview of the Civil Infrastructure Platform (CIP), Yocto Project, and Zephyr Project, and details the best practices each project has adopted to comply with the core requirements of the CRA. It also offers insight into the elements needed to ensure leadership in cybersecurity best practices, and includes a set of resources to aid other open source stakeholders in their CRA compliance journeys.
“Navigating the CRA requires a strategic approach that balances compliance with the fundamental principles of open source development,” said Gabriele Columbro, General Manager of Linux Foundation Europe. “At the Linux Foundation, we host some of the most important projects running global critical infrastructure, and this research underscores our commitment to provide actionable insights based on the CRA readiness of three of these projects, with immediate relevance to manufacturers, industry leaders, and open source communities across Europe and around the world.”
The second report, Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source, highlights significant knowledge gaps in the open source ecosystem regarding the CRA, which imposes cybersecurity requirements on products with digital elements. Survey data outlined in the report reveals that most respondents are unfamiliar with the CRA, uncertain about compliance deadlines, and unaware of non-compliance penalties. Manufacturers, who bear primary responsibility, lack readiness—many passively rely on upstream security fixes, and only a small portion produce Software Bills of Materials (SBOMs). The report recommends that manufacturers take a more active role in open source security, that more funding and legal support are needed to sustain security practices, and that clear regulatory guidance is essential to prevent unintended negative impacts on open source development.
“Ensuring software supply chain security is essential for maintaining trust in open source,” said Steve Fernandez, General Manager, OpenSSF. “This report highlights significant knowledge gaps and key strategies to help organizations meet regulatory obligations outlined in the CRA regarding secure software development, while preserving the collaborative and decentralized nature of open source.”
Linux Foundation Research will continue to support open source communities, industry partners, and regulatory bodies to advance secure software development practices that recognize the unique dynamics of open source, while balancing regulatory compliance with open innovation.
The full reports are available here:
- Pathways to Cybersecurity Best Practices in Open Source: How the Civil Infrastructure Platform, Yocto Project, and Zephyr Project are Closing the Gap to Meeting the Requirements of the Cyber Resilience Act
- Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source
Supporting Quotes
“The CRA introduces both challenges and opportunities for industrial and critical infrastructure sectors that depend on open source. CIP, for almost a decade, has been focusing on delivering a secure Linux foundation for products in these sectors. Through our collaboration with the Linux Foundation, we are working to ensure that compliance strategies align with industry needs while preserving the long-term security, reliability, and sustainability of open source technologies.”
– Urs Gleim, Governing Board Chair, Civil Infrastructure Platform (CIP)
“When the Zephyr Project launched 9 years ago, applying security best practices was a core focus. As the project evolved, we continued to integrate best practices as they emerged to support product developers using Zephyr RTOS. Our prior work has made CRA readiness possible today and provides insight into how open source projects can prepare, while still maintaining the flexibility and innovation that define open source development.”
– Kate Stewart, Vice President of Dependable Embedded Systems, the Linux Foundation
“The Yocto Project, as one of the core technologies in today’s embedded Linux ecosystem, recognizes the importance of proactive security and compliance in light of the CRA. This report provides critical insights to help both open source communities and enterprises effectively navigate the evolving regulatory landscape while maintaining the agility needed for innovation.”
– Andrew Wafaa, Governance Board Chair, Yocto Project
***
About the Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, LF Decentralized Trust, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.
Media Contact
Noah Lehman
The Linux Foundation